Bugtraq mailing list archives
Re: [linux-security] Linux virus
From: jimd () STARSHINE ORG (Jim Dennis)
Date: Wed, 5 Feb 1997 02:16:16 -0800
Aleph One seems to have said:
ugh :) Today I became infected with the bliss virus, any info on this would be appreciated! How do I scan for files infected and is it possible to remove it? I first noticed the infection when running a program (not as root) messages flashed on the screen about transversing directories and such. The program (gimp) had been working fine since I downloaded the binary for gimp from their main site. The gimp people told me they have not been receiving complaints their binaries are infected, so something else must be the source.
        ....
I am presently using this to scan for it in my home dir: grep infected /home/peter/**/*(xD/) Any help would be great!!! Rgds, Peter.

[mod: It looks as if lots of debugging strings are still in the binary. Odd that this "debugging version" would be in the wild. Peter, can you verify that it indeed is a virus? Unless it knows of ways to become root, you should be safe if you add a new user-account, place an infected binary and a few uninfected binaries in that user's account. Make sure that you have an unmodified version available for comparison. On one hand I don't like to approve this until Peter has verified this, but on the other hand if there is really a linux-virus on the loose, you all would like to hear about it ASAP right? -- REW]
        Peter and all,
        I've forwarded your message and the reply by Todd to
        the Chief AV Researcher at McAfee Associates (the
        premier PC Anti-virus company).
        Jimmy is a friend of mine (I used to be the sysadmin
        there) and has assured me that he will look into it
        first thing in the morning (he's here at my house now).
        This would be the first "live and in-the-wild" Linux
        virus that I've ever heard of -- have I been missing
        something?
        In any event -- McAfee may be able to add this to
        their existing uvscan product.  uvscan scans Linux
        filesystems for DOS and Windows (including Word Macro)
        viruses.   It may be possible for the AV team to
        simply add bliss' signature to the next release -- and
        it may even be possible for them to create a remover.
        However -- the current version of this is almost
        guaranteed not to detect or remove this (unless
        someone at McAfee's AV team discovered this without
        telling the boss).
        I noticed your detection mechanism -- it seems like
        we could add something to the zmagic file to allow
        the stock Linux 'file' command to identify Bliss
        infected binaries.  Then a command like:
                find / -print | {
                        while read -r i; do
                                # quote "$i": file names containing spaces would otherwise split
                                file "$i" | grep -q "Bliss Infected" && \
                                echo "$i"
                                # do something about the infected files
                        done
                }
        Would do the trick.  An interim solution would be
        to simply rm all infected files and restore from
        CD or via FTP.
        If you could cut a tape or other backup of your
        system in its infected state it might be of
        interest to the McAfee team.
        Who knows how to update the zmagic file?
        Jimmy has asked me to let everyone on this list
        know that if you want updates on this issue -- or
        if you have further information, please feel free
        to forward it through me or directly to cjkuo () mcafee com.
        I suppose this would be a great time to recommend
        that more people get and install 'tripwire' and
        cops and that everyone use the 'chattr +i' command to
        help protect their libs and binaries from lame attacks
        such as these.
                tripwire and cops are available at
                the COAST archive at cs.purdue.edu
                Information about using 'chattr' to
                mark your files as immutable is in the
                Linux-Tips HOWTO (actually submitted
                to them by moi).
                Note -- currently the immutable flag under
                ext2fs is of limited security value since
                any root run program that wants to can
                simply chattr it back.  However -- it would
                be effective against crude and lame attacks
                like this one (as described in Todd's excerpt).
                The addition of a BSD-like 'securelevel'
                (which is in the works for the 2.1 kernels)
                will make the "immutable" flag a viable
                security feature.
        A final note:
        This should serve as yet another reminder that we
        must always be aware of the trust that we place in
        the sources for all of our files.
        The fact that a system is a single-user workstation
        should not lull anyone of us into allowing the admin
        of that system to neglect proper ownership and permissions
        conventions.
        Here's a one line script to find any files on your path
        to which you have write access (run this under
        your normal login id).
#! /bin/bash
        ## find.wx-files
        ## list regular files on $PATH that are both executable and writable by the caller
find $(echo "$PATH" | tr : " ") -type f | \
        { while read -r i; do [ -x "$i" ] && [ -w "$i" ] && ls -l "$i" ; done; }
        While doing this I discovered several files that
        were writeable by me in my normal account (I was a
        member of the 'root' group).  Red Hat 3.03 leaves
        a number of X11R6 binaries group writable.
        I've fixed that now (and permissions don't prevail
        over ext2fs attributes anyway).
--
Jim Dennis,                                info () mail starshine org
Proprietor,                          consulting () mail starshine org
Starshine Technical Services              http://www.starshine.org
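The two defensive checks recommended in the message above, as an added shell example that is not code from the original post: an audit of executables on $PATH that the calling user could modify (the find.wx-files idea, hardened for file names with spaces), and a minimal checksum baseline in the spirit of tripwire so that a modified binary shows up as a changed hash rather than relying on a string like "Bliss Infected". The function names, the baseline file format and the directory layout used for the demonstration are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.  Two checks an admin can run
# after reading the thread above:
#   writable_exes_on_path            - which executables on $PATH could the
#                                      current user (or a program run as that
#                                      user) overwrite?
#   integrity_baseline / integrity_check - record SHA-256 sums of a tree and
#                                      later report CHANGED / ADDED / MISSING
# Function names and the baseline format are this example's own assumptions.

# Print every regular file in the PATH-style list $1 (default: $PATH) that is
# both executable and writable by the caller.  Quoting and 'read -r' keep
# names with spaces intact; missing directories are skipped.
writable_exes_on_path() {
    path_list="${1:-$PATH}"
    ( IFS=:
      for dir in $path_list; do
          [ -d "$dir" ] || continue
          find "$dir" -maxdepth 1 -type f -print | while IFS= read -r f; do
              if [ -x "$f" ] && [ -w "$f" ]; then printf '%s\n' "$f"; fi
          done
      done )
}

# Hash every regular file under $1 (paths relative to $1, sorted) into $2.
# Keep the baseline outside the tree it describes, ideally on read-only media.
integrity_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Compare the tree under $1 against baseline $2.  Prints one line per
# difference and returns 1 if any were found, 0 if the tree matches.
# sha256sum lines are "<64 hex chars><2 spaces><path>", so the path starts at
# column 67; matching on that substring survives paths containing spaces.
integrity_check() {
    root="$1"; base="$2"; rc=0
    tmp_now=$(mktemp)
    ( cd "$root" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$tmp_now"
    # Every baseline entry must still exist with the same hash.
    while read -r hash path; do
        now_hash=$(awk -v p="$path" 'substr($0, 67) == p { print $1 }' "$tmp_now")
        if [ -z "$now_hash" ]; then
            printf 'MISSING %s\n' "$path"; rc=1
        elif [ "$now_hash" != "$hash" ]; then
            printf 'CHANGED %s\n' "$path"; rc=1
        fi
    done < "$base"
    # Anything present now but absent from the baseline is new.
    while read -r hash path; do
        awk -v p="$path" 'substr($0, 67) == p { found = 1 } END { exit !found }' "$base" \
            || { printf 'ADDED %s\n' "$path"; rc=1; }
    done < "$tmp_now"
    rm -f "$tmp_now"
    return "$rc"
}

# Usage (as the ordinary, non-root login):
#   writable_exes_on_path
#   integrity_baseline /usr/bin /mnt/readonly/usr-bin.sha256
#   integrity_check    /usr/bin /mnt/readonly/usr-bin.sha256 || echo "tree modified"
```

The baseline is only as trustworthy as the files at the time it was taken, so build it from freshly installed media, and re-run `integrity_check` before trusting a binary that behaves oddly; a `CHANGED` line on a file you did not upgrade is exactly the signal Peter was looking for.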
Current thread:
- [linux-security] Linux virus Aleph One (Feb 04)
- Re: [linux-security] Linux virus Jim Dennis (Feb 05)
- Re: [linux-security] Re: Linux virus Alan Cox (Feb 05)
 - Re: [linux-security] Re: Linux virus Leejay Wu (Feb 05)
 
 - bliss version 0.4.0 nobody () INTERNIC NET (Feb 05)
 - HPSBUX9702-052 Security Vulnerability in the rlogin executable Aleph One (Feb 05)
 - [linux-security] Re: Linux virus Aleph One (Feb 06)
 - setlocale() bug in all released versions of FreeBSD (SA-97:01) Aleph One (Feb 06)
 - Wierd behavior of MS's NT4 DNS Jason T. Luttgens (Feb 07)
 - New OFFICIAL patch for BSD/OS 2.1 (*SECURITY*) (fwd) Josh Gilliam (Feb 07)
 - Bliss: The Facts Jared Mauch (Feb 08)
 - view-source myst (Feb 08)
 
